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REMARKS 

Claims 1-15 are all the claims pending in the application. Applicants respectfully 
traverse these objections/rejections based on the following discussion. 

I. The 35 U.S.C. §101 Rejection 

Claims 6 and 8-11 stand rejected under 35 U.S .C. § 1 0 1 , second paragraph. In order to 
overcome this rejection, independent claim 6 has been amended to define "... computer software 
recorded on a computer-readable medium, said software comprising instructions executable by 
said computer system, said instructions causing said computer system to . . ." The Office Action 
indicates that software, programming, instructions, or code not claimed as being computer 
executable are not statutory. In contrast, when a claimed computer-readable medium encoded 
with a computer program defines structural and functional interrelationships within the computer 
and the program and the computer is capable of executing the program, the program will be 
statutory. Applicants respectfully submit that independent claim 6 now defines that the "software 
comprising instructions executable by said computer system" and that the "instructions causing 
said computer system to" provides the requisite interrelationship between the program and the 
computer capable of executing the program. 

In view of the foregoing, the Examiner is respectfully requested to reconsider and 
withdraw this rejection. 

II. The Prior Art Rejections 

Claims 1-15 stand rejected under 35 U.S.C. 103(a) as being unpatentable over Chan et al, 
hereinafter "Chan" (6,889,375) in view of Hung Chak Kuen Patrick's "A Secure Workflow 
Model" Australian computer Society, Inc.; pages 33-41, hereinafter "Patrick" identified as item 
1-U on the 892 Form attached to the Office Action. Applicants respectfully traverse these 
rejections based on the following discussion. 

A. Patrick Not Prior Art 

Applicants initially traverse this rejection because the Patrick reference has not 
necessarily been shown to be dated prior to applicants filing date, and therefore it is Applicants' 
position that, until shown otherwise, Patrick is not valid prior art against the pending application. 

More specifically, this application was filed on December 5, 2003. The Patrick reference 
(1-U on the 892 Form) only includes a general copyright date of 2003, and the bottom of the first 
column of the Patrick paper indicates that it was presented at the 2003 Australian Information 
Security Workshop. Applicants are not aware and have not been provided the date when that 
conference occurred. In addition, the 892 Form attached to the Office Action only indicates the 
date for reference 1-U as being within the year 2003. 

Therefore, it is Applicants' position that the conference where the Patrick paper was 
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presented could have occurred after December 5, 2003 and that Patrick is not necessarily prior 
art. Applicants submit that, until proven otherwise, Patrick should not be considered prior art 
against the currently pending patent application. 

B. The Proposed Combination of References Does Not Teach the Claimed 
Invention 

Notwithstanding that the Patrick reference may not be valid prior art, Applicants note that 
the proposed combination of Chan and Patrick does not teach or suggest the invention as is 
currently claimed. More specifically, the proposed combination of references does not teach or 
suggest basing cost functions upon the amount and duration of information exposed between 
processing steps of a workflow in order to identify the workflow that has the lowest exposure 
cost function. To the contrary, the claimed invention provides an "exposure cost measure being 
based upon, in part, details of critical information that is temporarily stored between processing 
steps within each of said possible workflows." 

As explained on page 4, lines 1 8-26 of Applicants' specification, a given workflow will 
not have any exposure if information that is produced is consumed by the very next stage. This 
can also be thought of as "just-in-time" production of inputs for the next stage. Exposure is 
avoided as information that is produced at any stage is consumed by the very next stage. To the 
contrary, if any workflow produces information that is unused for more than one step, 
information must be stored temporarily. In such a situation, security and resource overhead 
implications consequently exist and the claimed invention addresses such issues. 

The Office Action admits that Chan does not explicitly disclose the process of calculating 
an exposure measure for each of the possible workflows and the Office Action refers to Patrick 
for teaching such features (for example, see the Office Action, page 5, last paragraph). However, 
Applicants submit that Patrick is limited to disclosing an enhanced secure workflow, but is not 
directed to selecting between different workflows based upon an exposure cost measure. Further, 
Patrick does not disclose that the exposure cost measure is "based upon, in part, details of critical 
information that is temporarily stored between processing steps within each of said possible 
workflows." 

More specifically, the introduction Section of Patrick explains that it is important for 
workflow management systems to protect all information of a workflow within a secure 
framework. The secure workflow models in Section 3 of Patrick principally evaluate whether a 
workflow is secure or unsecure, and provide various tests to determine whether it should be 
considered unsecure. These tests include, for example, looking at a workflow layer (Section 3.1); 
looking at a control layer (Section 3.2); looking at a data layer (Section 3.3). As explained in 
Section 4 of Patrick, the novel aspect of Patrick is separating the various aspects of control in a 
workflow and portraying them as a multi-layered architecture for analyzing the flow of 
authorizations. The secure workflow model is used to ensure the security properties of integrity, 
authorization, and availability. 

Therefore, while Patrick utilizes workflow layers, control layers, and data layers to 
determine whether a specific workflow is secure or unsecure, Patrick does not teach or suggest 
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calculating exposure cost measures in a cost minimization operation to evaluate which of a 
number of different workflows produces the lowest exposure cost measure. Further, while 
Patrick looks at workflow layers, control layers, and data layers, Patrick does not base the 
evaluation upon whether data is temporarily stored between processing steps. 

Therefore, it is Applicants' position that the combination of Chan and Patrick does not 
teach or suggest the claimed features of "calculating an exposure cost measure for each of the 
possible workflows in the set of possible workflows, said exposure cost measure being based 
upon, in part, details of critical information that is temporarily stored between processing steps 
within each of said possible workflows; and selecting the constructed set of possible workflows 
for which the predetermined exposure cost measure is calculated to be a minimum" that is 
defined by independent claims 1 and 7, and similarly defined by independent claim 6. 

In view of the foregoing, Applicants submit that independent claims 1, 6, and 7 are 
patentable over the proposed combination of Chan and Patrick. In addition, dependent claims 2- 
5 and 8-15 are similarly patentable, not only because they depend from a patentable independent 
claim, but also because of the additional features of the invention they define. In view of the 
foregoing, the Examiner is respectfully requested to reconsider and withdraw this rejection. 

C. Applicants Traverse the Taking of Official Notice 

At various points in the Office Action, the rejection relies upon the taking of Official 
Notice. Applicants hereby explicitly traverse all such takings of Official Notice and request 
specific proof of the items proposed to be well-known in the takings of Office Action. Further, 
Applicants deny that such items are well-known and do not make any admissions with respect to 
the items suggested in the various takings of Official Notice. 

More specifically, on page 5, second paragraph, and page 12, second paragraph, the 
Office Action states that Official Notice is taken that using quantifiable methods to measure data 
describing the state or performance of a system process, such as link duration, or amount of an 
event or output, or a combination of multiple descriptive measures, is old and well known in the 
art. Applicants respectfully disagree in that such a statement is factually incorrect. It has not 
been shown previously for one ordinarily skilled in the art to utilize the amount and duration of 
information exposed between processing steps of a workflow in order to identify the workflow 
that has the lowest exposure cost function. 

Quite to the contrary, as illustrated by both Chan and Patrick, when attempting to provide 
a secure workflow model, Patrick utilizes workflow layers, control layers, and data layers to 
determine whether a specific workflow is secure or unsecure. Neither Patrick nor any of the 
other prior art of record address issues, such as the quantity of data that is temporarily stored, or 
the length of time such data is stored between processing steps. 

Therefore, it is Applicants' position that the statement of Official Notice is incorrect, and 
any reliance upon such statements is without basis. Further, Applicants request demonstrative 
proof before any such statement should be considered as admitted. 



7 



10/729,814 



III. Formal Matters and Conclusion 

In view of the foregoing, Applicants submit that claims 1-15, all the claims presently 
pending in the application, are patentably distinct from the prior art of record and are in condition 
for allowance. The Examiner is respectfully requested to pass the above application to issue at 
the earliest possible time. 

Should the Examiner find the application to be other than in condition for allowance, the 
Examiner is requested to contact the undersigned at the local telephone number listed below to 
discuss any other changes deemed necessaiy. 

Please charge any deficiencies and credit any overpayments to Attorney's Deposit 
Account Number 09-0441. 

Respectfully submitted, 



Dated: 09/05/08 /Frederick W. Gibb, III/ 

Frederick W. Gibb, IE 
Reg. No. 37,629 

Gibb & Rahman, LLC 
2568-A Riva Road 
Suite 304 

Annapolis, MD 21401 
Customer Number: 29154 
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